COMPUTER SECURITY OF DELPHI FINANCIAL MANAGEMENT SYSTEM
Department of Transportation

Report Number: FI-2003-094
Date Issued: September 30, 2003

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report on Computer Security of Delphi Financial Management System, Department of Transportation, FI-2003-094
Date: September 30, 2003
From: Alexis M. Stefani, Principal Assistant Inspector General for Auditing and Evaluation
Reply to Attn. of: JA-20
To: Acting Assistant Secretary for Budget and Programs/Chief Financial Officer

This report presents the results of our audit of computer security over the Department of Transportation’s (DOT) new financial management system—Delphi. In 1997, DOT decided that its existing accounting system did not meet DOT’s need to properly account for resources and provide timely and reliable financial information to managers. DOT then embarked on an effort to acquire a commercial off-the-shelf financial management system that fully complied with Federal financial management and accounting requirements.

The replacement system, known as Delphi, provides significantly improved financial management and reporting capabilities.
For example, billions of dollars worth of accounting adjustments that had to be manually processed outside the old accounting system are now being processed by Delphi. DOT will be able to produce financial statements from Delphi directly. Financial management staff can also access Delphi for information with web design technologies. When fully implemented, Delphi will be used to account for over $50 billion of funds entrusted to DOT each year, including over $10 billion in contractor and employee payments.

All DOT Operating Administrations (OA) have implemented Delphi, except the Federal Aviation Administration (FAA), which is scheduled to convert to the new system in October 2003. Delphi is maintained by FAA personnel at the Mike Monroney Aeronautical Center (Aeronautical Center) in Oklahoma City, under the direction of the Office of the Secretary’s Office of Financial Management.
The system cost about $100 million to develop and deploy.

The objective of this audit was to determine whether Delphi is adequately secured to ensure the integrity, confidentiality, and availability of its operations. Specifically, we assessed the following control areas: (1) security planning to ensure that Delphi security risks are properly assessed; (2) access security to ensure Delphi files, documents, and facilities are accessible only to authorized personnel with proper separation of duties; (3) system software settings to ensure firewall, network, database, and transmission controls are adequate; (4) configuration management controls to ensure that only authorized changes can be made to Delphi; and (5) business continuity and contingency plans to ensure the plans are adequate and have been tested.

The audit was conducted in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States. Our audit scope and methodology are discussed in Exhibit A.

DOT provided comments (see Appendix) to our August 29, 2003 draft report. DOT concurred with all 5 findings and 17 recommendations in our report and has initiated or completed corrective action for each recommendation.

RESULTS IN BRIEF

Delphi has significantly improved DOT’s ability to account for funds and to generate financial information. However, DOT needs to enhance security and controls of Delphi operations in order to achieve the full potential of the replacement system. Specifically, we found that some DOT employees could process unauthorized payments without being detected, and intruders could launch attacks as “trusted parties¹” through unsecured network connections.

We also determined that critical security measures, such as protecting sensitive information from unauthorized disclosure, were not implemented or enforced.
In addition, changes made to Delphi were not properly tested and reviewed, which could result in unauthorized program changes or system performance degradation. Finally, contingency planning was not adequate to ensure continued Delphi services in the event of a disaster.²

¹ “Trusted parties” are users who are granted access to DOT’s network or system resources that are not made available to the general public.
² For security reasons, specifics concerning the weaknesses and vulnerabilities we identified and our audit procedures are not discussed in this report, but were provided to DOT managers during the audit.

These deficiencies existed because DOT did not pay adequate attention to security issues during the Delphi development process. Instead, the focus has been on assisting OA conversion efforts and enabling OAs to use Delphi for financial statement reporting. Our review showed that while the vulnerabilities uncovered are significant, they are also correctable. To that end, DOT has initiated or completed corrective actions on many of the deficiencies we identified. Continued management attention will be required to complete the remaining corrective actions and to provide ongoing assurance that security controls remain adequate to protect sensitive information and resources from being compromised or lost.

Based on the existence and magnitude of these vulnerabilities, we conclude that the control environment for Delphi operations must be improved. Accordingly, when auditing DOT financial statements, auditors will need to perform additional testing of financial transactions processed by Delphi.

• User Access Needs to Be Restricted to Ensure Payment and Financial Reporting Integrity.
Controls over payment processing in Delphi were inadequate due to a lack of separation of duties. In financial systems, no single individual should be given the authority to both request and approve payment. However, we found 35 Delphi users were given authority to perform both payment request and approval functions without any management review.

  The number of users authorized to both request and approve payments could increase to about 100 when FAA converts to Delphi. Currently, 61 FAA employees have this authority to perform both functions, but the risk of unauthorized payments was mitigated by a customized system control in the old accounting system, which prohibited individuals from approving their own payment requests. In contrast, Delphi is largely a commercial off-the-shelf system and does not have the same customized control. Accordingly, separating payment request and approval functions must be enforced in Delphi to prevent one individual from both submitting and approving a transaction. Implementing this separation of duties would require realignment of job responsibilities in FAA accounting offices before the conversion.

  We also found that an excessive number of DOT and contractor employees at the Aeronautical Center were given system privileges that were not required to perform their duties. As a result of these privileges, about 200 support personnel could change accounting records without management approval or install malicious software code in Delphi that could result in service disruptions.

  In addition, over 400 Aeronautical Center employees had unsupervised physical access to the Delphi computer center, although about half were not responsible for Delphi operations.
Once inside the computer center, these employees could cause disruptions by issuing special commands on operator consoles or sabotaging computer equipment.

  During our audit, we did not identify any specific incidents of unauthorized payments, accounting transactions, or software installations in Delphi. DOT management has started enforcing separation of payment request and approval functions at each OA and reducing system access assigned to support personnel. Continued management attention is required to complete corrective actions.

• Network Security Needs to Be Strengthened to Prevent Outside Intrusions. We found over 30 vulnerabilities on the 2 web sites through which Delphi receives transactions for processing. These vulnerabilities allowed intruders to access sensitive information that could be used to gain unauthorized access to, or launch attacks on, Delphi.

  We also found that the local area network at the Aeronautical Center was vulnerable to attack. Although the network was protected by firewall security³ against intrusions from the Internet, it was accessible through other remote access mechanisms. We found over 120 unsecured telephone line (dial-up modem) connections to the network. With such connections, intruders could launch attacks as “trusted parties” to disrupt Aeronautical Center network operations. While these unsecured connections were not found on Delphi computers, they were threats to Delphi because Delphi has to rely on the Aeronautical Center network for communications support.

  DOT management has eliminated all vulnerabilities we identified on Delphi web sites and disconnected 35 unsecured dial-up connections.
Action plans need to be developed and implemented to secure the remaining connections and to prevent recurrence of these problems.

³ While firewall security helps prevent unauthorized access to an organization’s private networks, it cannot protect public web sites from being attacked.

• Security Controls Need to Be Enforced to Ensure Processing Integrity. We found that basic system controls were not implemented in Delphi. When compared with the old accounting system, Delphi lacked basic security controls such as implementing proper password configuration to prevent guessing, automatically deleting user accounts not used over a designated period of time, or systematically removing terminated employees from system access. These deficiencies existed partially due to a change in the system processing environment. Delphi operates on a stand-alone server, which requires that security controls that are normally provided by a central security function (as was provided for the old accounting system) must now be performed by Delphi managers.

  In addition, the following requirements in the Delphi security plan have not been enforced.

  ➢ Protecting sensitive information. While most sensitive Delphi data are encrypted during transmission, we found incidents where employees’ Social Security Numbers and purchase card information are transmitted over DOT networks in clear text and, if intercepted, can easily be copied. In addition, tens of thousands of employees’ Social Security Numbers stored in Delphi for the expense reimbursement process are not protected. Over 400 Delphi users can access this sensitive information, which reduces employee privacy and risks identity theft.
Unless this information is properly protected, the magnitude of this exposure will increase significantly when FAA converts to Delphi.

  ➢ Ensuring integrity of system interfaces. We found little evidence to show that DOT has ensured that feeder systems, providing Delphi with detailed financial data, are secure. A critical security requirement for Delphi is that these feeder systems provide evidence of adequate security before being allowed to share information with Delphi. We found that three of eight feeder systems we selected for testing did not have any evidence of adequate security. While the other five had such evidence, only one provided it to Delphi management.

  ➢ Enforcing personnel accountability. We found that DOT did not hold individuals accountable for keeping Delphi secure. The Delphi Security Plan requires that DOT and contractor employees accept security responsibilities by signing “rules of behavior” documents before being given access to Delphi. Such rules include not sharing passwords with others and not disclosing sensitive information. We selected two OAs for review and found that one was not aware of, and the other did not consistently comply with, this requirement. As a result, management will not be able to hold employees and contractors accountable for security breaches.

  ➢ Conducting background checks. While background checks do not guarantee a person’s loyalty or trustworthiness, they provide valuable information to help management determine whether an employee should be given access to Delphi.
We reviewed 14 individuals occupying sensitive positions, such as maintaining network security, and found that 8 (about 57 percent) DOT and contractor employees have not received adequate background checks.

  These security deficiencies existed because the Delphi security administrator did not enforce security requirements specified by management. The administrator is four levels below the Director of Delphi operations at the Aeronautical Center and was focused on detailed administrative work such as processing user access requests.

  DOT is taking corrective actions such as enforcing proper password configuration and ensuring that all interfaces are adequately secured. To help improve security administration, DOT has now appointed a Delphi information system security officer who will report to a higher level of authority. DOT management needs to continue implementing security controls necessary in Delphi, such as using secure mechanisms to transmit sensitive information, protecting employee Social Security Numbers stored in Delphi, obtaining DOT and contractor employees’ signatures on the rules of behavior, and completing proper background checks on personnel occupying sensitive positions.

• System Changes Need to Be Better Controlled.
While the Delphi team used a structured process to control system changes, we found that this process needed to be strengthened because testing was inappropriately performed on the production machine,⁴ key personnel were not involved in prioritizing change requests or assigning staff to review test results, and critical testing documents were not retained for future reference.

⁴ The Delphi production machine is the computer that is used to process financial transactions submitted by DOT Operating Administrations.

  System changes should be made, tested, and reviewed in a test environment, and only approved changes should be accepted and placed on the Delphi production machine. While Delphi development staff performed detailed testing on a test machine, they conducted the final testing, such as quality assurance testing, on the production machine. This arrangement resulted in two immediate concerns. First, problems experienced during testing could have an adverse impact, such as performance degradation or system crashes, on the Delphi production machine. Second, to ensure that only approved changes are implemented on the production machine, system development staff responsible for making program changes should not be allowed to access the production machine. This separation of duties did not exist for Delphi.

  Delphi had a Change Control Board (the Board) responsible for approving and prioritizing change requests and assigning personnel to review test results. However, the Board was composed of only system development personnel at the Aeronautical Center without any OA user representation. As a result, DOT had limited assurance that Delphi incorporated only necessary changes requested by the users.
Also, the Delphi security administrator was not involved to ensure that security was not negatively affected during a change. In one instance, password security was inadvertently degraded during a system change, but it was not detected for over 1 year until it was pointed out during our audit.

  While there was evidence that the Board reviewed and signed off on system changes, we found that test plans and results were not retained. Without such documentation, the Delphi team might experience additional difficulties when researching future system problems.

  As a result of our audit, DOT management has removed the test database from the Delphi production machine. However, further DOT management attention is needed to have OAs represented on the Change Control Board for reviewing Delphi change requests and test results, require the security administrator to ensure that security is not degraded during system changes, and develop a policy for retaining system change documents based on the criticality of the change.

• Contingency Plans Need to Be Enhanced and Tested. The April 2001 Delphi contingency plan was not adequate to ensure continued payment and accounting operations in DOT in case of a major catastrophe at the Aeronautical Center. The plan called for using an on-site portable computer center as backup, which would not work if a disaster placed the entire Aeronautical Center out of service. We also identified the need for the Aeronautical Center to reduce its risk of losing major telecommunications lines. While these communication lines used different entry points into the Aeronautical Center, they converged in a single room before entering the data center. Losing this room would leave Delphi inaccessible to all OA users.

  During our audit, DOT management revised the Delphi contingency plan by selecting an off-site facility for recovery processing.
DOT performed limited off-site tests on July 27 and September 7, 2003. However, management needs to develop a plan to eliminate converging major telecommunications lines in a single room at the Aeronautical Center.

We are making specific recommendations in this report to enhance computer security over the Delphi system. These include recommendations to ensure payment and reporting integrity in Delphi, reduce vulnerabilities to attack from outside intruders, add basic security controls to Delphi, ensure integrity of program changes in Delphi, and test contingency plans.

Management fully concurred with our findings and recommendations and, to its credit, is taking corrective actions that, when fully implemented, will significantly enhance the integrity, confidentiality, and availability of DOT financial operations. These corrective actions are in various stages of implementation. In some instances, DOT management has completed corrective actions such as revising Delphi’s contingency plan for improved disaster recovery capability and appointing a Delphi information system security officer who reports to a higher level authority. All other recommendations are scheduled to be implemented by December 2003.

FINDINGS AND RECOMMENDATIONS

A. User Access Needs to Be Restricted to Ensure Payment and Financial Reporting Integrity

DOT did not establish appropriate system access controls to protect financial information stored in Delphi. Specifically, we found a lack of separation of duties between requesting and approving payments in Delphi, and excessive system and physical access granted to Aeronautical Center support personnel.
As a result, DOT employees and contractors could embezzle funds by processing unauthorized payments, change accounting records without management approval, or install malicious software code in Delphi. During our audit, we did not identify any specific incidents of unauthorized payments, accounting transactions, or software installations in Delphi.

Lack of Separation of Duties in the Payment Process

Controls over payment processing in Delphi were inadequate due to a lack of separation of duties. In financial systems, no single individual should be given the authority to both request and approve payments. However, we found 35 Delphi users in 4 OAs and at the Aeronautical Center were given authority to perform both payment request and approval functions without any management review.

The number of users authorized to both request and approve payments could increase to about 100 when FAA converts to Delphi. Currently, 61 FAA employees have authority to perform both functions. However, under the old accounting system, the risk of unauthorized payments was mitigated by a customized system control, which prohibited individuals from approving their own payment requests. In contrast, Delphi is largely a commercial off-the-shelf system and does not have the same customized control. Accordingly, separating payment request and approval functions must be enforced in Delphi to prevent one individual from both submitting and approving a transaction. Implementing this separation of duties would require realignment of job responsibilities in FAA accounting offices before the conversion.

Excessive System Access to Delphi by Support Personnel

We found that an excessive number of DOT and contractor employees at the Aeronautical Center were given access to Delphi’s financial records or operating system although such access was not required for their duties.
As a result of this access, 182 DOT and contractor employees responsible for Delphi operations at the Aeronautical Center could change accounting records without OA approval or install malicious software code in Delphi that could result in service disruptions. Specifically, system support personnel could:

➢ Change accounting records. We found that 71 system support personnel could bypass detailed transaction processing controls and make direct changes to OA general ledger account balances. While some Delphi system support personnel may need to have such access for emergency adjustments, the access should be limited and monitored. For example, an exception report listing all changes should be provided to the OA for review.

  Also, 61 of these individuals could make changes to prior-year accounting records without management review and approval after the records have been closed. Once financial statements have been certified by auditors, they should be closed permanently. Any changes that need to be made should be processed as prior-year adjustments. As a result of these excessive access privileges, OAs had limited assurance of the integrity and accuracy of their financial records.

➢ Change operating system software. We found that the majority (111 out of 122) of Delphi technical support personnel were inappropriately granted access to the operating system that is used to control Delphi operations. This excessive access presented a risk because these individuals could install malicious software code that could result in disruptions to the Delphi system.

  Equally important, we found that 5 of the remaining 11 individuals that had legitimate needs to access the Delphi operating system were arbitrarily deleting the audit trails of their access activities.
This prevented management from holding these users accountable for changes made to the Delphi operating system.

Excessive Physical Access to the Delphi Computer Center

Only personnel responsible for performing technical work, such as monitoring computer operations or maintaining hardware, should be given unsupervised access to the computer center. However, we found that over 400 Aeronautical Center employees were granted unsupervised physical access to the Delphi computer center, even though most of these individuals were not responsible for ongoing operations or maintenance of the computer equipment in the center. Many of these individuals, such as 91 security guards and 40 building maintenance staff, only needed to enter the computer room occasionally, and therefore should be given temporary access, when needed.

Once inside the computer center, these employees could cause disruptions by issuing special commands on operator consoles or by simply sabotaging computer equipment. When compared with other computer centers, physical access security at the Aeronautical Center was inadequate. For example, U.S. Coast Guard’s main computer center houses more systems than the Aeronautical Center, but unsupervised access was granted to less than one-third of those allowed for the Delphi computer center.

As a result of our audit, DOT management has started enforcing separation of payment request and approval functions at each OA and reducing privileged access assigned to support personnel. Continued management attention is required to complete corrective actions.

RECOMMENDATIONS

We recommend that the Acting Assistant Secretary for Budget and Programs/Chief Financial Officer direct the Office of Financial Management to:

   1. Separate the payment request and approval authority for the 35 employees who currently have authority to do both, ensure that FAA follows the same separation of duties guidelines before it converts to Delphi, and install a process to ensure the separation of request and approval authority.

   2. Determine which of the 71 system support personnel at the Aeronautical Center require privileged access to Delphi accounting records, eliminate privileged access for the remainder, and implement an exception report listing transactions made by personnel who retain this access for OA management review.

   3. Eliminate all unnecessary access to Delphi’s operating system for the remaining support personnel we identified at the Aeronautical Center.

   4. Establish procedures that require audit trails of user access to the operating system be kept for a certain period of time and periodically reviewed by management.

   5. Reduce the number of staff granted unsupervised physical access to the computer center to a small group of personnel responsible for operating and maintaining the computer equipment in the center.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

DOT has completed action on recommendations 1 and 5, and expects to complete action on recommendations 2, 3, and 4 by December 2003. The actions taken and in process are responsive to the recommendations.

B. Network Security Needs to Be Strengthened to Prevent Outside Intrusions

We found that Delphi web servers were not securely configured to prevent unauthorized access by non-DOT personnel.
In addition, people outside DOT could access the Aeronautical Center network, which supports Delphi communication operations, without going through firewall security checks. As a result, intruders could make unauthorized changes to the Delphi system or disrupt its communication services.

Delphi Web Sites Unsecured

Delphi receives transactions through two web sites—one is accessible through the Internet and the other is accessible through DOT’s internal networks. Through these Delphi web sites, users can make inquiries, request payments, or update fund accounting records in the Delphi database. If not properly configured, these web sites could allow unauthorized access to Delphi.

By using a commercial scanning tool, we identified over 30 vulnerabilities on the Delphi web sites. These vulnerabilities could allow intruders to bypass Delphi security checks and make unauthorized changes to the Delphi database by executing remote commands. These weaknesses occurred because Delphi’s web sites were not properly configured as recommended by the National Institute of Standards and Technology and the software manufacturer, such as replacing vendor-supplied passwords with individual passwords.

DOT management has eliminated all vulnerabilities we identified and is working with the software manufacturer to ensure proper configuration of Delphi web sites.

Aeronautical Center Network Vulnerable to Remote Access

The Aeronautical Center provides the network infrastructure supporting Delphi communication operations. If the network is disrupted, Delphi will be out of service.
Although the Aeronautical Center network was protected by firewall\nsecurity against intrusions from the Internet, it was not protected from other\nremote access mechanisms.\n\nBy using a commercial software tool, we found 124 unauthorized telephone line\nconnections (known as dial-up modems), which could allow individuals located\noutside of DOT to make connections with Aeronautical Center computers without\ngoing through firewall security. Once connected, intruders could launch attacks as\n\xe2\x80\x9ctrusted parties\xe2\x80\x9d to disrupt Aeronautical Center network operations. For example,\n\x0c                                                                                    15\n\nby using these dial-up connections, we were able to connect to and execute\ncommands on these computers from outside of DOT.\n\nOnly 11 of the 124 dial-up modems required password authentication, and none of\nthem used the call-back mechanism to validate the calling source, as required by\nDOT policy. At the time we identified the 124 dial-up modems, DOT\nmanagement was not aware of their existence and did not have a procedure in\nplace to authorize the use of modems. While these unsecured dial-up connections\nwere not directly associated with Delphi, they presented a threat to Delphi\noperations because Delphi relies on the Aeronautical Center network for\ncommunications support.\n\nThe Aeronautical Center management has completed its review of all dial-up\nmodems we identified and disconnected 35 of them. Currently, DOT is\ndetermining appropriate actions for the remaining modems.\n\nRECOMMENDATIONS\n\nWe recommend that the Acting Assistant Secretary for Budget and\nPrograms/Chief Financial Officer direct the Office of Financial Management to:\n\n   1. Verify that Delphi web sites are securely configured, and periodically\n      inspect the Delphi web configuration to prevent recurrence of\n      vulnerabilities on Delphi web sites.\n\n   2. 
      Complete corrective actions on the remaining dial-up connections.

   3. Establish a process to control the use of dial-up modems in accordance with
      DOT policy.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR
GENERAL RESPONSE

DOT has completed action on recommendation 1 and expects to complete action
on recommendations 2 and 3 by December 2003. The actions taken and in process
are responsive to the recommendations.

C.    Security Controls Need to Be Enforced to Ensure
      Processing Integrity

We found that basic system security controls were not implemented in Delphi.
For example, users were allowed to select short, simple passwords that could be
easily guessed; unused user accounts were not removed; and access was not
automatically removed when an employee was terminated. In addition,
requirements specified in the Delphi security plan to protect sensitive information;
ensure system interface integrity; and require personnel accountability and
background checks were not enforced. As a result, DOT did not have adequate
assurance about the integrity and confidentiality of information processed in
Delphi.

Lack of Basic System Controls

Delphi lacked basic system controls that had been in place in the old accounting
system partially due to a change in the system processing environment. While the
old accounting system operates in a shared mainframe environment equipped with
a central security management function, Delphi operates in a dedicated server
environment. This transition imposed additional responsibilities on Delphi
management for security implementation. We found the following basic system
controls were missing in Delphi.

• Password configuration control. Password controls are generally considered a
  system’s first line of defense against unauthorized access.
  According to DOT
  policy, passwords are required to contain at least eight alpha-numeric
  characters to prevent easy guessing. However, this control did not exist in
  Delphi. For example, during our Delphi testing, we were able to construct
  passwords with only three characters, which could easily be cracked by a
  hacker.

• Automatic time-out. Systems such as Delphi should automatically disconnect a
  user after a specified period of inactivity, such as 15 minutes. Without this
  control, unauthorized users can access unattended computers to process
  fraudulent transactions. This is evidenced by an embezzlement in recent years
  where an employee was able to use his supervisor’s computer, while
  unattended, to approve fraudulent payment requests in the old accounting
  system.

• Disabling unused accounts. While user accounts not used for 90 days are
  suspended in Delphi, they can be re-activated no matter how long the accounts
  have stayed inactive. Once an account reaches 180 days of inactivity, the
  account is not likely to be needed and should be removed to prevent
  unauthorized use.

• Removing terminated employees' access. The old accounting system has the
  ability to match terminated employee records reported by the personnel system
  with a list of authorized users and remove their access. However, the Delphi
  system has no systematic way to remove the access of terminated Federal
  employees.
  As a result, we found that four employees still retained access to
  Delphi after termination from DOT.

DOT is taking corrective action to establish proper password configuration.
However, DOT needs to continue implementing the remaining basic system
controls such as disconnecting inactive sessions, deleting inactive user accounts,
and systematically removing terminated employees’ access to Delphi.

Delphi Security Requirements Not Enforced

Agencies are required to perform periodic Certification and Accreditation (C&A)
reviews to determine whether a computer system is adequately secured
commensurate with the associated risks. The C&A review starts with a risk-based
security plan detailing security requirements needed for the system. While such a
plan has been developed for Delphi, we found that the following requirements in
the Delphi security plan are not enforced.

• Protecting sensitive information. We found that access to the Social Security
  Numbers and purchase credit card information was not restricted to people
  who had a legitimate need to know. Over 35,000 employees’ Social Security
  Numbers and 678 Government-issued purchase card numbers are stored in
  Delphi for the expense reimbursement process. Currently, over 400 Delphi
  users can view all DOT employees’ Social Security Numbers stored in the
  system. This not only reduces employee privacy but also increases the risk of
  identity theft.
  Unless corrective action is taken, the magnitude of this exposure
  will increase significantly as a result of FAA’s conversion to Delphi, which
  will more than double the volume of sensitive information.

  In addition, while most Delphi information is encrypted during transmission,
  we found incidents where employee Social Security Numbers and purchase
  card information were transmitted over DOT networks in clear text and, if
  intercepted, could easily be copied.

• Ensuring integrity of system interfaces. Delphi interfaces with over 30 feeder
  systems, which provide Delphi with detailed financial data such as payroll
  expenses or grant obligations. These interfaces account for $42 billion in
  financial processing each year. A key security requirement for Delphi is that
  these feeder systems provide evidence of adequate security in the form of C&A
  documentation. C&A reviews are used to determine whether the system is
  adequately secured. In addition, the owner of each system interfacing with
  Delphi is required to sign a memorandum of agreement specifically
  documenting that their system is secure.

  These requirements are critical to ensure Delphi’s own processing integrity.
  For example, in an August 30, 2002 memorandum, Delphi management stated
  that any feeder system not complying with these security requirements would
  be disconnected from Delphi. To verify compliance with this requirement, we
  judgmentally selected eight major interfacing systems for review. We found
  that three of eight feeder systems did not have any evidence of adequate
  security. Equally important, there is no action plan to ensure that these three
  systems obtain such evidence in a timely manner to continue their interfaces
  with Delphi.
  While the other five had such evidence, only one provided it to
  Delphi management. DOT management needs to obtain security evidence
  from feeder systems or disconnect their interface with Delphi by
  October 31, 2003.

• Enforcing personnel accountability. Delphi’s security plan requires that
  employees and contractor personnel accept security responsibilities (rules of
  behavior) before being given access to Delphi. These rules of behavior inform
  users of their security responsibilities such as non-disclosure of passwords and
  proper handling of sensitive information. Rules of behavior also serve as a
  contract allowing management to hold users accountable in case of a security
  breach.

  We judgmentally selected 14 users from the Federal Transit Administration
  and the Federal Railroad Administration for review. We found that four of
  seven transit employees and all seven railroad employees had not signed rules
  of behavior. We further found that the railroad security administrator was not
  even aware of this security requirement.

• Conducting background checks. Background checks are key to ensuring
  adequate personnel security. While background checks provide no guarantee
  of a person’s loyalty or trustworthiness, they provide valuable information that
  might keep at-risk personnel from working on Delphi.
  DOT policy[5] requires
  that key computer positions, such as network administrators, be designated as
  high risk and receive a higher level background check, called Background
  Investigation.

  [5] DOT Order 1630.2B, entitled “Personnel Security Management,” dated May 30, 2001.

  We judgmentally selected 14 individuals occupying sensitive positions,
  including network and database administrators, and found as shown in the table
  below, that 8 (about 57 percent) employees and contractor personnel did not
  receive Background Investigations.

                 Background Checks on Sensitive Positions

                               Total Employees       Employees Needing a
                                   Tested          Background Investigation
  Sensitive Positions         Federal  Contractor    Federal  Contractor
  Network Administrators         1         6            1         2
  System Programmers             0         5            0         3
  Database Administrators        1         0            1         0
  Security Officer               1         0            1         0
  Totals                         3        11            3         5
                                     14                     8

  These individuals served as the first line of defense for Delphi security. For
  example, network administrators are responsible for network firewall security.
  System programmers essentially controlled all aspects of Delphi system
  operations.
  However, they did not receive proper background checks
  commensurate with the sensitivity of their positions.

These deficiencies existed because the Delphi security administrator did not
enforce security requirements. The administrator was four levels below the
Director of Delphi operations at the Aeronautical Center, and was focused on
detailed administrative work such as processing user access requests.

To help with the duties of security administration, DOT has now appointed a
Delphi information system security officer who will report to a higher level of
authority. However, DOT management needs to continue implementing security
controls necessary in Delphi, such as using secure mechanisms to transmit
sensitive information, protecting employee Social Security Numbers stored in
Delphi, obtaining DOT and contractor employees’ signatures on the rules of
behavior, and completing proper background checks on personnel occupying
sensitive positions.

RECOMMENDATIONS

We recommend that the Acting Assistant Secretary for Budget and
Programs/Chief Financial Officer direct the Office of Financial Management to:

   1. Enhance basic system controls such as establishing password configuration
      controls, disconnecting users for inactivity during Delphi computer
      sessions, disabling user accounts not used over a specified time period, and
      systematically removing terminated employees’ access to Delphi.

   2. Restrict access to employee Social Security Numbers and purchase card
      information stored in Delphi to people with a legitimate need to know, and
      use secure mechanisms to transmit sensitive information on DOT networks.

   3. Obtain evidence that all Delphi feeder systems are adequately secured from
      their system owners, or disconnect their interfaces by October 31, 2003.

   4.
      Obtain signed rules of behavior documents from all Delphi users, or
      terminate their access by September 30, 2003.

   5. Complete Background Investigations on the eight employees we identified.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR
GENERAL RESPONSE

DOT has completed action on recommendation 4, and expects to complete action
on recommendations 1, 2, 3, and 5 by December 2003. The actions taken and in
process are responsive to the recommendations.

D. System Changes Need to Be Better Controlled

While the Delphi team used a structured process to control system changes, we
found that change controls were not adequate in Delphi. Specifically, we found
that testing was inappropriately performed on the production machine, key
personnel were not involved in reviewing test results from system changes, and
testing documents were not retained for future reference. As a result, DOT has
limited assurance that only authorized changes were made to the system.

Testing Work Performed on the Production Machine

System changes should be made, tested, and reviewed in a test environment, and
only approved changes should be accepted into production. While Delphi system
support staff performed detailed testing on a test machine, we found that they
conducted quality assurance testing and stress testing on the production machine.
Problems experienced during testing could have an adverse impact on the Delphi
production machine. For example, stress testing could cause the production
system to experience performance degradation or a system crash.

Also, to ensure that only approved changes are implemented in production, system
development staff responsible for making program changes should not be allowed
to access the production machine.
By allowing system development staff to
perform testing work on the production machine, management had limited
assurance that only authorized program changes were made.

Key Personnel Not Involved in the Change Control Process

An important principle in change control is ensuring that end-user needs are
appropriately addressed when making changes to the system. Delphi had a
Change Control Board (the Board) responsible for approving and prioritizing
change requests, and assigning personnel to review test results. However, the
Board was composed of only system development personnel at the Aeronautical
Center without any OA user representation. As a result, DOT has limited
assurance that changes requested by users are adequately considered for Delphi.
OA managers also expressed concerns that OAs were not being represented on the
Board and that their changes were not given sufficient priority.

Also, the Delphi security administrator was not involved in the change control
process. As a result, there was little assurance that Delphi security would not be
impacted during the change. For example, in one instance, password controls
were set to a lower level on the test machine to facilitate program changes during
an upgrade in October 2001. However, the controls were not reset to an
acceptable level before the upgrade was installed on the production machine. The
lower level of Delphi security controls was not detected for over 1 year, until
pointed out during our audit.

Testing Documents Not Retained

We judgmentally selected 10 System Change Requests completed in the past
1-year period and reviewed the documentation supporting the modification and
testing process.
While there was evidence of Board review and sign-off on system
changes, we found that test plans and results were not retained for these requests.

Delphi management explained that the test plans and results were destroyed
because of limited file storage space. Delphi management relied on approvals
recorded in the tracking system as evidence of adequate testing. However, without
these records, the Delphi team might experience additional difficulties when
researching future system problems. DOT needs to ensure that test documents
supporting critical changes are retained.

As a result of our audit, DOT management has removed the test database from the
Delphi production machine. However, continued management attention is needed
to have OAs represented on the Change Control Board for reviewing Delphi
change requests and test results, require the security administrator to ensure that
security is not degraded during system changes, and develop a policy for retaining
system change documents based on the criticality of the change.

RECOMMENDATIONS

We recommend that the Acting Assistant Secretary for Budget and
Programs/Chief Financial Officer direct the Office of Financial Management to:

   1. Include key personnel, such as the security administrator and OA user
      representatives, on the Delphi Change Control Board to review and
      prioritize change requests.

   2. Issue guidance for retaining test plans and results of system changes based
      on the criticality of the change.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR
GENERAL RESPONSE

DOT has completed action on recommendation 1 and expects to complete action
on recommendation 2 by December 2003. The actions taken and in process are
responsive to the recommendations.

E.
Contingency Plans Need to Be Enhanced and Tested

We found that the April 2001 contingency plan for Delphi was not adequate to
ensure timely restoration of services for continued operations. Also, Delphi
operations were vulnerable to telecommunications service disruptions at the
Aeronautical Center. As a result, should Delphi operations experience service
disruptions, it was unclear when the operation could be restored.

DOT Order H1350.254, entitled "Guide to Continuity of Operations Planning,"
requires OAs to restore critical DOT operations in case of a disruption of services.
However, the Delphi contingency plan was not adequate to ensure continued
payment and accounting operations at DOT. The plan called for use of
on-site portable trailers containing computer hardware and electrical generators.
This plan was not adequate in case of a major catastrophe at the Aeronautical
Center because it would not be able to provide support, such as
telecommunications, to these trailers. The plan should have included an off-site
facility that provides for computer and telecommunications equipment necessary
for a quick recovery of Delphi services.

We also found that the Aeronautical Center is at risk of losing all
telecommunications lines, which would render Delphi inoperable. While these
major telecommunications lines used different entry points into the Aeronautical
Center, they converged in one room before entering the data center. If a failure
occurred in this room, such as a fire, all telecommunications to the data center
would be lost. Consequently, OA users would not be able to access Delphi to
process payment requests or record accounting transactions.

During our audit, DOT management revised the Delphi contingency plan by
selecting an off-site facility for recovery processing. DOT performed limited
off-site tests on July 27 and September 7, 2003.
However, management needs to
develop a plan to eliminate converging major telecommunications lines in a single
room at the Aeronautical Center.

RECOMMENDATIONS

We recommend that the Acting Assistant Secretary for Budget and
Programs/Chief Financial Officer direct the Office of Financial Management to:

   1. Conduct a comprehensive system recovery test by September 30, 2003.

   2. Develop and implement a plan to eliminate converging major
      telecommunications lines in a single room at the Aeronautical Center.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR
GENERAL RESPONSE

DOT has completed action on both recommendations 1 and 2. The actions taken
are responsive to the recommendations.

ACTION REQUIRED

Actions taken and planned by DOT are reasonable. These issues are resolved,
subject to the follow-up requirements in DOT Order 8000.1C. Therefore, no
further response is required.

We appreciate the courtesies and cooperation of DOT and the Operating
Administrations' representatives. If you have questions concerning this report,
please call me at (202) 366-1992 or Ted Alves, Assistant Inspector General for
Financial and Information Technology Audits, at (202) 366-1496.

                                      #

EXHIBIT A. SCOPE AND METHODOLOGY

We used the General Accounting Office’s Federal Information Systems Controls
Audit Manual as a guide for this audit. Our review covered 12 DOT organizations
using Delphi during our audit period.

We reviewed and analyzed Delphi’s security plan, system change control
procedures, interface control process, web configuration, firewall security rules,
and contingency plan.
We performed detailed analysis of system access privileges
assigned to about 1,500 users, including system support personnel and OA users.
We physically inspected environmental control systems such as fire extinguishers,
physical access controls, backup power systems, and the backup file storage site.

We performed hands-on testing of Delphi password security and protection of
sensitive information. We also judgmentally selected 10 system change requests,
14 personnel background checks, and 14 users’ acceptance of security
responsibilities for detailed review. We conducted interviews with key Delphi
support personnel at the Aeronautical Center and OA users at DOT Headquarters.

In addition, we used various automated tools to test Delphi web and network
security. By using commercial scanning software, we performed a vulnerability
assessment on Delphi web sites, firewall security, and selected computers. We
also used an automated tool to identify unauthorized telephone line connections
(dial-up modem) to the Aeronautical Center networks. After identifying these
dial-up modems, we made a manual effort to connect to them from outside of
DOT and verified if these modems used password authentication or a call-back
mechanism.

Our audit work was performed between November 2002 and July 2003 at FAA’s
Mike Monroney Aeronautical Center at Oklahoma City, Oklahoma, and DOT
Headquarters in Washington, D.C. The audit was conducted in accordance with
Government Auditing Standards prescribed by the Comptroller General of the
United States.

EXHIBIT B.
MAJOR CONTRIBUTORS TO THIS REPORT

THE FOLLOWING INDIVIDUALS CONTRIBUTED TO THIS REPORT.

   Name                     Title
   Phil deGonzague          Project Manager
   Ping Sun                 Senior Computer Scientist
   James Mallow             Senior Auditor
   Henry Lee                Computer Scientist
   Brad Kistler             Information Technology Specialist
   Jean Ablutz              Information Technology Specialist

APPENDIX. MANAGEMENT COMMENTS

September 12, 2003

MEMORANDUM TO:   Theodore P. Alves
                 Assistant Inspector General for Financial
                   and Information Technology Audits

                 Rebecca C. Leng
                 Deputy Assistant Inspector General for
                   Information Technology and Computer Security

FROM:            (original signed by A. Thomas Park)
                 for Phyllis F. Scheinberg
                 Acting Assistant Secretary for Budget and
                   Programs/Chief Financial Officer

SUBJECT:         Draft Report on Computer Security and Controls
                 Of Delphi Financial Management System,
                 DOT Project Number 03F3002F0000

Thank you for the draft report of your audit on computer security and controls for Delphi, the
new financial management system that DOT is currently implementing.
We appreciate the
help your staff provided in identifying computer security and control issues so that we can
ensure that Delphi fully implements and maintains effective security and controls.

We have worked closely with your staff during the review and as you noted in your report,
as soon as issues have been raised we have taken immediate action to mitigate risks and to
strengthen Delphi security and controls. Major corrective actions we have taken to enhance
Delphi security and controls in response to your audit include:

• Implemented a Disaster Recovery site at the Federal Aviation Administration (FAA)
  Great Lakes Regional Office and conducted two successful disaster recovery tests with
  your staff’s participation.

• Developed and implemented a Compatibility Matrix to ensure appropriate Separation
  of Duties for all Roles and Responsibilities assigned to Delphi users.

• Established and automated Rules of Behavior as part of the Delphi sign-in script.

• Reduced the number of users with system access and with physical access to the Systems
  Maintenance Facility, the data center at the Mike Monroney Aeronautical Center.

• Reviewed and eliminated all Web vulnerabilities.

• Submitted requests for upgrading the background level investigations for the remaining
  Delphi system administrators.

• Established the Delphi Management Committee composed of representatives from the
  Operating Administrations (OAs) to guide operations and enhancements to the system.

• Enhanced the System Change Request process to provide the OAs with greater input
  on proposed system enhancements and the priorities for accomplishing them.

Attached is a spreadsheet that provides more details on all the corrective
actions we are taking
and have completed to address the recommendations in your draft audit report.

The Oracle Federal Financials software used by Delphi provides extensive security features
and controls, as described by Oracle security experts who met with your staff earlier this year.
We are working with the Chief Information Officer’s staff to renew the Certification and
Accreditation of Delphi and to ensure that all feeder systems have been properly Certified
and Accredited.

We look forward to continuing to work with your staff to enhance Delphi security and controls
further as the system continues to evolve beyond the implementation phase. Please refer any
questions to Larry Neff of the DOT Office of Financial Management at (202) 366-2335.

Attachment[1]

cc:
Dan Matthews
Lisa Schlosser
Lindy Ritz
Robert Stevens
Keith Burlison
Keith Nelson
Cheryl Rogers
Laura Ramoly
Mike Myers
A. Thomas Park
Larry Neff
Kean Miller

[1] For security reasons, the Attachment, which provided specifics on DOT’s corrective actions, is not included in
    this report.
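
The four controls listed under "Lack of Basic System Controls" (password configuration, automatic time-out, unused accounts, terminated employees' access) can be checked mechanically, as in the following Python. It is an added example, not part of the OIG report or of Delphi; the record layout, function names and sample data are constructed, and reading "eight alpha-numeric characters" as requiring both letters and digits is an assumption.

```python
from datetime import date, datetime, timedelta
from typing import NamedTuple

# Thresholds taken from the report's findings.
MIN_PASSWORD_CHARS = 8                  # "at least eight alpha-numeric characters"
IDLE_TIMEOUT = timedelta(minutes=15)    # inactivity period given as the example
SUSPEND_AFTER_DAYS = 90                 # unused accounts are suspended
REMOVE_AFTER_DAYS = 180                 # unused accounts should be removed


class Account(NamedTuple):              # hypothetical record layout
    user_id: str
    employee_id: str
    last_login: date


def password_meets_policy(candidate: str) -> bool:
    """Assumed reading of the policy: >= 8 letters/digits, with both present."""
    alnum = [c for c in candidate if c.isalnum()]
    return (len(alnum) >= MIN_PASSWORD_CHARS
            and any(c.isalpha() for c in alnum)
            and any(c.isdigit() for c in alnum))


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """True once a session has been idle for the full time-out period."""
    return now - last_activity >= IDLE_TIMEOUT


def _norm(employee_id: str) -> str:
    # Personnel and application tables rarely format IDs identically;
    # an exact string match would silently miss terminated users.
    return employee_id.strip().upper()


def review_accounts(accounts, terminated_ids, today):
    """Return {user_id: action}; a termination record outranks inactivity."""
    terminated = {_norm(e) for e in terminated_ids}
    actions = {}
    for acct in accounts:
        idle_days = (today - acct.last_login).days
        if _norm(acct.employee_id) in terminated:
            actions[acct.user_id] = "remove-terminated"
        elif idle_days >= REMOVE_AFTER_DAYS:
            actions[acct.user_id] = "remove-inactive"
        elif idle_days >= SUSPEND_AFTER_DAYS:
            actions[acct.user_id] = "suspend"
        else:
            actions[acct.user_id] = "keep"
    return actions


# Constructed sample data (not from the report).
TODAY = date(2003, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E1001", TODAY - timedelta(days=15)),
    Account("asmith", "E1002", TODAY - timedelta(days=90)),    # exactly at threshold
    Account("bjones", "E1003", TODAY - timedelta(days=213)),
    Account("cwhite", " e1004", TODAY - timedelta(days=1)),    # ID formatted differently
]
SAMPLE_TERMINATED = ["E1004"]           # constructed personnel-system feed

if __name__ == "__main__":
    result = review_accounts(SAMPLE_ACCOUNTS, SAMPLE_TERMINATED, TODAY)
    for user, action in result.items():
        print(f"{user:8} {action}")
    print("3-character password accepted:", password_meets_policy("abc"))
```

The `cwhite` row shows why the identifiers are normalized before matching: the account logged in yesterday, so only the personnel feed reveals that access should be removed.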